Reviewer: Carlos Bernardos Review result: Ready with Nits Reviewer: Carlos J. Bernardos Review result: Ready with nits I am an assigned INT directorate reviewer for draft-ietf-regext-data-escrow These comments were written primarily for the benefit of the Internet Area Directors. Document editors and shepherd(s) should treat these comments just like they would treat comments from any other IETF contributors and resolve them along with any other Last Call comments that have been received. For more details on the INT Directorate, see http://www.ietf.org/iesg/directorate.html. I hope these comments are clear and useful. >From an INT directorate point of view the document is ready, as it does not deal with the mechanisms used to actually transfer the data escrow deposits. I have some comments regarding the security and privacy sections. - In section 10 (Security considerations): "Depending on local policies, some elements or, most likely, the whole deposit will be considered confidential. As such, the registry transmitting the data to the escrow agent should take all the necessary precautions such as encrypting the data itself and/or the transport channel to avoid inadvertent disclosure of private data." I'd assume the should in "escrow agent should take" should be UPPER case, right? "Authentication of the parties passing data escrow deposit files is also of the utmost importance. The escrow agent SHOULD properly authenticate the identity of the registry before accepting data escrow deposits. In a similar manner, the registry SHOULD authenticate the identity of the escrow agent before submitting any data. Additionally, the registry and the escrow agent SHOULD use integrity checking mechanisms to ensure the data transmitted is what the source intended. Validation of the contents by the escrow agent is RECOMMENDED to ensure not only that the file was transmitted correctly from the registry, but also that the contents are "meaningful"." In general, I wonder why not all the SHOULDs in this section are not MUST. But this should be probably better assessed by the SECDIR. - In section 11 (Privacy considerations): "This specification defines a format that may be used to escrow personal data. The process of data escrow is governed by a legal document agreed by the parties, and such legal document must regulate the particularities regarding the protection of personal data." I'd assume the must should be in UPPER case, no? Thanks, Carlos -- last-call mailing list last-call@xxxxxxxx https://www.ietf.org/mailman/listinfo/last-call